The Governance contract fails to synchronize its internal state with the TimelockController when proposals are executed directly via the Timelock. This results in incorrect proposal statuses, allowing the Governance contract to report outdated or invalid states even after execution.
https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/governance/proposals/Governance.sol
The Governance contract tracks proposal execution solely via an executed flag, which is only updated when proposals are executed through its own execute function. If a proposal is directly executed via the TimelockController (e.g., by an address with the EXECUTOR_ROLE), the Governance contract’s state becomes inconsistent:
- The executed flag remains false.
- The state() function does not verify the Timelock’s execution status, leading to incorrect state reporting.
Governance reports incorrect statuses (e.g., "Succeeded" instead of "Executed").
Off-chain systems relying on the state() function receive unreliable data.
Manual review
Sync the Governance state with the Timelock by modifying the state() function to check the Timelock’s execution status:
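One way such a check could look, as an added sketch that is not the submission's or the project's own code. It assumes the timelock exposes hashOperationBatch, isOperationDone and isOperationPending as OpenZeppelin's TimelockController does, and that the operation id is derived with a zero predecessor and the description hash as salt; the contract name, struct layout and the enum members other than Succeeded and Executed are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Assumed minimal view of the timelock (function names as in OpenZeppelin's TimelockController).
interface ITimelockView {
    function hashOperationBatch(
        address[] calldata targets, uint256[] calldata values, bytes[] calldata payloads,
        bytes32 predecessor, bytes32 salt
    ) external view returns (bytes32);
    function isOperationDone(bytes32 id) external view returns (bool);
    function isOperationPending(bytes32 id) external view returns (bool);
}

contract GovernanceStateSketch {
    enum ProposalState { Active, Defeated, Succeeded, Queued, Executed }

    struct Proposal {
        address[] targets;
        uint256[] values;
        bytes[] calldatas;
        bytes32 descriptionHash;
        uint256 endTime;
        bool passed;   // hypothetical stand-in for the vote/quorum result
        bool executed; // set only by Governance's own execute()
    }

    ITimelockView public immutable timelock;
    mapping(uint256 => Proposal) internal proposals; // creation and voting are outside this sketch

    constructor(ITimelockView timelock_) { timelock = timelock_; }

    // The local flag is treated as a cache; the timelock is the source of truth.
    function state(uint256 proposalId) public view returns (ProposalState) {
        Proposal storage p = proposals[proposalId];
        if (p.executed) return ProposalState.Executed;
        if (block.timestamp < p.endTime) return ProposalState.Active;
        if (!p.passed) return ProposalState.Defeated;

        // Assumption: same id derivation the contract uses when it queues the proposal.
        bytes32 id = timelock.hashOperationBatch(
            p.targets, p.values, p.calldatas, bytes32(0), p.descriptionHash
        );
        // Covers execution performed directly on the timelock by an EXECUTOR_ROLE holder.
        if (timelock.isOperationDone(id)) return ProposalState.Executed;
        if (timelock.isOperationPending(id)) return ProposalState.Queued;
        return ProposalState.Succeeded;
    }
}
```

Because state() is a view function it cannot also set the executed flag; off-chain consumers get the corrected status from the return value, while the stored flag stays false for proposals executed directly on the timelock.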